
US006654882B1

(12) United States Patent (10) Patent No.: US 6,654,882 B1

Froutan et al. (45) Date of Patent: Nov. 25, 2003



(54) NETWORK SECURITY SYSTEM 

PROTECTING AGAINST DISCLOSURE OF 
INFORMATION TO UNAUTHORIZED 
AGENTS 

(75) Inventors: Paul Froutan, San Antonio, TX (US); 

Eric Evans, San Antonio, TX (US) 

(73) Assignee: Rackspace, LTD, San Antonio, TX 
(US) 

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 11 days.

(21) Appl. No.: 10/153,645

(22) Filed: May 24, 2002

(51) Int. Cl.⁷ G06F 1/24

(52) U.S. Cl. 713/153; 713/189; 713/194; 713/200; 713/201

(58) Field of Search 713/153, 189, 194, 200, 201



(56) References Cited

U.S. PATENT DOCUMENTS

5,414,833 A 5/1995 Hershey et al.
5,557,742 A 9/1996 Smaha et al.
5,720,033 A 2/1998 Deo
5,892,903 A 4/1999 Klaus
5,991,881 A 11/1999 Conklin et al.
6,279,113 B1 8/2001 Vaidya



Primary Examiner— Thomas R. Peeso 

(74) Attorney, Agent, or Firm — Fulbright & Jaworski L.L.P. 

(57) ABSTRACT 

A network security system provides a complete, reactive, 
Network Intrusion Detection System (NIDS) designed to 
stop a would-be hacker from gaining unauthorized access by 
blocking their connectivity to a protected network at the first 
sign of malicious activity. The network security system 
utilizes a commercially available or open source NIDS that 
can detect patterns in TCP/IP activity as well as examining 
packet headers to detect probes and attempts to compromise 
systems. The network security system then modifies the 
return route from the "victim" protected network so that 
outbound packets are never returned to the attacker. 

26 Claims, 2 Drawing Sheets 



FIELD OF THE INVENTION 

The present invention is directed to intrusion detection for a computer-based system and, more particularly, to a network security system protecting a network from disclosure of information in response to a maleficent message.

BACKGROUND OF THE INVENTION 

Computer networks provide connectivity between and among computer resources connected to the network and, typically, remote networks and devices. A private network may support computer resources at a single location, e.g., a local area network (LAN), or at multiple locations, e.g., a wide area network (WAN). The network infrastructure may include one or more routers for directing messages between and among computer resources connected to the network, while gateways and/or bridges connect the LAN or WAN to other, typically remote, networks. Often, the connection to remote networks is provided using open or public communications network facilities such as the ubiquitous Internet.

Once a private network is connected to an open network or otherwise provides open access to the network, security of the private network becomes a paramount concern. Typically, some form of "firewall" is required, i.e., a system that restricts access between a protected network and the Internet, or between other sets of networks. The firewall may be implemented using one or more systems including, for example, a screening router, a dual-homed or screened-host gateway, a screened subnet, and an application-level gateway (or proxy server). Those skilled in the art of network security systems use these and other components and systems to restrict access to a protected network.

While certain components and systems provide some level of protection, there is an increasing need for more sophisticated systems to help maintain network security. A network intrusion detection system (NIDS) provides capabilities to identify and respond to malicious or anomalous activities aimed at networked systems. Commercial products include AXENT® by Axent Technologies, Inc. (www.axent.com), Cisco® by Cisco Technology, Inc. (www.cisco.com), CyberSafe® by Cybersafe Corporation (www.cybersafe.com), Safesuite® by Internet Security Systems, Inc. (ISS) (www.iss.net), and Shadow® (www.nswc.navy.mil/ISSEC/CID).

Further examples of network security systems are described in U.S. Pat. No. 5,414,833 of Hershey, et al. entitled "Network Security System And Method Using A Parallel Finite State Machine Adaptive Active Monitor And Responder" issued May 9, 1995; U.S. Pat. No. 5,557,742 of Smaha, et al. entitled "Method And System For Detecting Intrusion Into And Misuse Of A Data Processing System" issued Sep. 17, 1996; U.S. Pat. No. 5,720,033 of Deo entitled "Security Platform And Method Using Object Oriented Rules For Computer-Based Systems Using UNIX-Line Operating Systems" issued Feb. 17, 1998; U.S. Pat. No. 5,892,903 of Klaus entitled "Method And Apparatus For Detecting And Identifying Security Vulnerabilities In An Open Network Computer Communication System" issued Apr. 6, 1999; and U.S. Pat. No. 6,279,113 of Vaidya entitled "Dynamic Signature Inspection-Based Network Intrusion Detection" issued Aug. 21, 2001.
While these security systems inspect data packets and messages to identify attempts to gain unauthorized access to a network, processing upon detection of a network intrusion may not foil the attempt. In particular, prior art systems are divided into passive and reactive types. Passive systems monitor network traffic and generate notifications and reports that can be reviewed by security personnel. Reactive implementations perform all the functions of their passive counterparts but can also take immediate action to deny access to network resources. Most reactive NIDS systems are host based; the few network-based implementations are bound to specific network hardware and specific network topologies, and work by completely filtering the offending party. Since the hosts appear unreachable to the attacker, reporting within the protected network is lost.

Accordingly, a need exists for a device and method that protects a network from externally launched attacks while tracking and reporting such events. A further need exists for a device and method of providing network security protection and reporting that is compatible with a wide range of NIDS.

SUMMARY OF THE INVENTION 

The invention is a system for and method of monitoring 
traffic inbound to a protected network for any signs of 
malicious activity. Once an attack is detected, the system 
acts to prevent the attacker from retrieving any data from its 
target. 

According to one aspect of the invention, a network security system includes a router connected to a protected network, the router configured to selectively route incoming messages to respective destinations on the protected network as addressed by the respective incoming messages. A network intrusion detection system (NIDS) connected to the protected network operates to detect any attack on the protected network associated with one or more of the incoming messages. A control system on the network operates to cause the router to selectively redirect a reply message associated with the one incoming message to an alternate terminus on the protected network in response to the NIDS detecting the attack (i.e., an offending message).

According to a feature of the invention, a GateD server is connected to the protected network wherein the reply message associated with the offending incoming message is initially addressed to an offending off-network IP address associated with the incoming message prior to rerouting by the router. In this case, the GateD server stores (i) the offending IP address associated with the incoming message and (ii) a static route pointing the offending IP address to the alternate terminus on the protected network.

According to another feature of the invention, the control 
system may further include a routing server storing a routing 
table. The routing server may include a GateD server. 

According to another feature of the invention, the control 
system may be configured to execute a network routing 
daemon that understands a plurality of protocols including at 
least one or more of BGP, EGP, RIP, RIP II, OSPF, and 
HELLO. In this case, the NIDS may be configured to 
monitor the incoming messages to detect predetermined 
patterns of TCP/IP activity indicative of the attack on the 
protected network. 

According to another feature of the invention, the NIDS may be configured to monitor packet headers of the incoming messages to detect probes.

According to another feature of the invention, the NIDS may be configured to monitor the incoming messages to detect one of:

(i) a network resource anomaly including activity that is different from a predetermined normal behavior; and

(ii) a network resource misuse including activity corresponding to known intrusion techniques, a known intrusion signature, and/or known system vulnerabilities.

According to another feature of the invention, the NIDS 
may be configured to notify the control system of detecting 
the attack via a (i) system log (syslog) and/or (ii) Simple 
Network Management Protocol (snmp) trap. 

According to another feature of the invention, the NIDS may be configured to mirror ports addressable corresponding to the destinations on the protected network.

According to another feature of the invention, the router 
may include a routing table, the control system configured to 
introduce to the router a preferred route into the routing 
table. The preferred route is effective to selectively redirect 
the reply message to the alternate terminus on the protected 
network. The alternate terminus on the protected network 
may be a system configured to analyze the reply message to 
identify network vulnerabilities of the protected network. 

According to another feature of the invention, the control system may be configured to put an Exterior Gateway Protocol (EGP) neighbor corresponding to a destination of the reply message into a down state and generate a corresponding egpNeighborLoss trap.

According to another feature of the invention, the control 
system may redirect the reply message to the NIDS. The 
NIDS may then operate to analyze the reply message to 
identify network vulnerabilities. 

According to another aspect of the invention, a network security system includes a protected network configured to route a message between (i) a plurality of network nodes and (ii) at least one external node. A router connected to the network receives the incoming message from the external node and selectively routes it to the addressed network node. A NIDS monitors the incoming message to the protected network and provides an indication of an attempt to gain unauthorized access to the protected network. A control system is responsive to an attack so as to cause the router to selectively redirect to one of the network nodes on the protected network a reply message associated with the incoming message in response to the NIDS detecting the attack.

According to another aspect of the invention, a method of operating a network security system includes a step of selectively routing a message incoming to respective destinations on a protected network. A step of detecting an attack on the protected network associated with one of the incoming messages initiates a selective redirection of a reply message associated with the associated incoming message to a destination on the protected network (instead of to the external address) in response to the step of detecting the attack.

Additional objects, advantages and novel features of the 
invention will be set forth in part in the description which 
follows, and in part will become apparent to those skilled in 
the art upon examination of the following or may be learned 
by practice of the invention. The objects and advantages of 
the invention may be realized and attained by means of the 
instrumentalities and combinations particularly pointed out 
in the appended claims. 

BRIEF DESCRIPTION OF DRAWINGS 

The drawing figures depict the present invention by way 
of example, not by way of limitations. In the figures, like 
reference numerals refer to the same or similar elements. 



FIG. 1 is a simplified block diagram of a security system connected to a protected network for inhibiting return messages to an external node mounting an attack against the network;

FIG. 2 is a simplified block diagram of message rerouting flow performed by a security system upon detection of an attack on the protected network from an external node; and

FIG. 3 is a flow chart of a method of detecting and inhibiting reply messages to an attacking node or in response to an attack.

DETAILED DESCRIPTION OF THE 
INVENTION 

A network security system according to the invention provides a complete, reactive NIDS designed to stop a would-be hacker or "a hacker" from gaining unauthorized access by blocking their connectivity to a protected network at the first sign of malicious activity. The network security system utilizes a commercially available or open source NIDS that can detect patterns in TCP/IP activity as well as examining packet headers to detect probes and attempts to compromise systems; it then modifies the return route from the "victim" protected network so that outbound packets are never returned to the attacker. Suitable NIDS include Cisco's NetRanger™, NFR Flight Recorder™, ODS CMDS, ISS RealSecure SAFEsuite™, Shadow™, Tripwire Enterprise™, NAI Cybercop™, AXENT OmniGuard™ and Intruder Alert™, eTrust Intrusion Detection™, CyberSafe Centrax™, Security Dynamics Kane Security Monitor™ and others.

The network security system preferably includes a NIDS that is capable of sending external notifications via syslog or snmp traps, and is compatible with a network configuration that utilizes the Border Gateway Protocol (BGP) for routing. When an attack is detected, the return route from machines (i.e., nodes) in the protected network is modified. Modification of the return route to circumvent responding to the attack is an improvement over designs that simply filter the attacker because, while hosts will appear unreachable to them, reporting within the protected network is not lost. Thus, once the NIDS detects an attack, the network security system acts to prevent the attacker from retrieving any data from its target. Servers on the protected network can still see the attempted attack, but no data will be sent back to the attacker. Once an attacker is identified, its identity may be communicated to other network security systems on other networks to "black hole" the attacker from receiving responses.

Referring to FIG. 1, a protected network 101 includes a plurality of machines or nodes 102-105. Although depicted in the present illustration as personal computers, the nodes may be any addressable device, system, subnetwork, router, gateway or similar device or structure. Nodes 102-105 are connected to each other and to router 107 via a communications infrastructure such as wide area network (WAN) 106. WAN 106 may be any suitable network architecture including, for purposes of example only, an Ethernet based system.

Router 107 may also include a gateway functionality to interconnect WAN 106 to Internet 111. Router 107 may be a conventional device compatible with BGP such as sold by Cisco® and others. NIDS 110 is placed in a position to monitor all incoming traffic to protected network 101. This is achieved by mirroring the ports used by inbound traffic on router 107. Multiple NIDS may be required depending on the amount of incoming traffic and the capacity of the server.
A network security controller 108 preferably runs a GateD server, and is configured as a BGP peer to the router. Network security controller 108 may be implemented on a conventional platform such as a personal computer, workstation, dedicated processor, system, etc.

As one skilled in the art would understand, the GateD server portion of security controller 108 is a modular software program consisting of core services, a routing database, and protocol modules supporting multiple routing protocols including RIP versions 1 and 2, DCN HELLO, OSPF version 2, EGP version 2 and BGP version 2 through 4 (the last being preferred in the present embodiment). Using GateD, a network administrator and/or network security controller 108 can control import and export of routing information by individual protocol by source and destination autonomous system, source and destination interface, previous hop router, and specific destination address. The network administrator and network security controller 108 can further specify a preference level for each combination of routing information being imported by using a flexible masking capability. Once the preference levels are assigned, GateD makes a decision on which route to use independent of the protocols involved. Accordingly, GateD capabilities to handle dynamic routing with a routing database built from information exchanged by routing protocols allow network security controller 108 to readily redefine routing as necessary to circumvent completion of a reply message to an attacker.

The Border Gateway Protocol (BGP) is an inter-Autonomous System routing protocol having the capability to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASs) that reachability information traverses. Border Gateway Protocol 4 (BGP-4) is defined in RFC-1771 and related documents including RFC-1657; RFC-1772-1774; RFC-1965; RFC-1966; and RFC-1996-1998.

Referring to FIG. 2, an incoming message to the protected network is received from, in this example, Internet 111 and is routed to both router 107 and NIDS 110 as indicated by arrow 201. NIDS 110 monitors and analyzes the incoming message traffic for malicious activity. Detection of malicious activity may include anomaly detection and signature recognition. Anomaly detection includes recognition of statistical anomalies by establishing a baseline of certain activities such as CPU utilization, disk activity, user logins, file activity, etc. Then the NIDS responds to a deviation from this baseline. Signature recognition is based on examination of network traffic to identify known patterns of attack. This requires that, for each hacker technique, the NIDS must be programmed to recognize the technique. For example, signature recognition may be implemented based on a pattern matching method. In this case, the NIDS examines all incoming packets for the pattern "/cgi-bin/phf?", which may be indicative of an attempt to access a vulnerable CGI script on a web-server. Other similar and more sophisticated techniques of analysis may also be employed.

If NIDS 110 identifies the incoming message as an attack on the network, it generates an alert message to network security controller 108. In response, network security controller 108 manipulates updates in its GateD server to announce to router 107 a new route for the offending IP address. Whether or not a network intrusion or attack is detected, unless the message is itself harmful to the addressed node, the message is routed to the target node as shown by arrow 112. Alternatively, messages considered to be harmful to the network may be blocked from the network and/or the session can be forced to terminate.

After receipt and processing by the addressed node 102, 103, 104 or 105, the node transmits back a reply message to the offending IP address. Typically, this IP address is the same as that of the originator IP address associated with the incoming message. However, having a new route designated for the offending IP address, router 107, rather than passing the message on to Internet 111, instead routes the message to network security controller 108 and a phantom node or "black hole" 112. Network security controller 108 can then coordinate with NIDS 110 to analyze the attack.

The GateD server used as part of security controller 108 is a BGP neighbor of all WAN routers on the network including router 107. If route-reflectors are used, then only a session with the route-reflectors is required. When NIDS 110 announces an offending IP address to the GateD server of network security controller 108, the GateD server adds a route to its tables which points the offending IP to the local interface. This route is then introduced into the routing tables of all WAN routers including router 107 and, since it is a /32, it is preferred over all other routes. All offending traffic destined outside protected network 101 is then diverted to the GateD host, i.e., network security controller 108. At that point, the traffic can be analyzed or simply discarded. This implementation allows the victim (e.g., node 102, 103, 104 or 105) to see all incoming traffic. However, outgoing traffic from the victim that is used to discover and exploit vulnerabilities will never reach the attacker. For example, if a sweep is detected by NIDS 110, network security controller 108 immediately acts to block traffic so the attacker does not receive any responses. The attacker then cannot discover any information about the servers in the network and is forced to move on.

A method according to the invention is presented in FIG. 3. Therein, after beginning the method at step 301, a message addressed to one of the nodes on the protected network is received at step 302. The NIDS makes an initial check at step 303 to determine whether the message is an intrusion attempt. The NIDS may check for activation such as a malicious pattern of TCP/IP activity (or equivalent in connection with other protocols). If the message does not represent an attack on the network, it is passed to the addressed node at step 304 and processing terminates until receipt of any next incoming message. Alternatively, if the message does represent a threat to the network or to a node on the network, then a check is performed at step 305 to determine if the message is so dangerous as to warrant blocking it from the network. Thus, inherently dangerous messages are trapped at step 306 or routed (possibly in an encapsulated form) to the NIDS for analysis and/or logging of the attempt. Messages which represent an intrusion attack but are eligible for routing to their destination node on the network are processed at step 307 to identify the offending IP address, e.g., the IP address of the message originator or other node to which a reply is to be directed by the target addressed node. Using the offending IP address, a trap or redirection based on the offending IP address is established at step 308. As detailed above, the trap or redirection is performed by the network security controller's manipulation of updates in its GateD server to announce to router 107 a new route for the offending IP address. Once the redirection has been established, the message is passed to the target addressed node at step 309.

Outgoing messages are monitored at step 310 for routing so that, effectively, the redirection causes the offending message to be captured instead of being routed to its original destination. At step 311 the offending message is analyzed to identify network vulnerabilities.
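The detect-then-divert loop of FIG. 2 and FIG. 3, written out as an added simulation (example code, not the patent's or GateD's own): a small longest-prefix-match routing table stands in for router 107, a signature scan for the page's "/cgi-bin/phf?" pattern stands in for NIDS 110, and install_blackhole() plays network security controller 108 announcing a /32 route that points the offending address at a local interface. All addresses, the alert line format, and the refusal to divert an address that lies inside the protected range are constructed assumptions.

```python
"""Simulation of the reactive NIDS + /32 route-injection loop (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass, field

PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed: protected network 101
BLACKHOLE_IF = "lo0"                                      # constructed: controller's local interface
INTERNET_GW = "198.51.100.1"                              # constructed: next hop toward Internet 111
# Signature recognition: the pattern the page gives for a vulnerable CGI script.
SIGNATURES = [re.compile(rb"/cgi-bin/phf\?")]


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # gateway address or a local interface name
    preference: int    # lower is better, in the spirit of GateD preference levels


@dataclass
class RoutingTable:
    routes: list = field(default_factory=list)

    def lookup(self, dst: str):
        """Longest-prefix match; ties broken by preference. A host route always wins."""
        dst_ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst_ip in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.preference))


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes = b""


def nids_inspect(pkt: Packet):
    """NIDS 110: return a syslog-style alert line (constructed format) on a signature hit."""
    for sig in SIGNATURES:
        if sig.search(pkt.payload):
            return f"nids: ATTACK sig={sig.pattern.decode()} src={pkt.src} dst={pkt.dst}"
    return None


ALERT_RE = re.compile(r"ATTACK sig=\S+ src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


def parse_alert(line: str):
    """Controller side: extract the offending IP address from an alert line."""
    m = ALERT_RE.search(line)
    return m.group("src") if m else None


def install_blackhole(table: RoutingTable, offender: str) -> bool:
    """Controller 108: add a /32 route pointing the offender at the local interface.

    Refusing addresses inside the protected network is an assumption added here,
    not something the patent states: a spoofed source from our own range must not
    let an attacker cut one of our own nodes off from the Internet.
    """
    ip = ipaddress.ip_address(offender)
    if ip in PROTECTED_NET:
        return False
    host = ipaddress.ip_network(f"{offender}/32")
    if any(r.prefix == host for r in table.routes):
        return True  # already diverted; announcing again changes nothing
    table.routes.append(Route(host, BLACKHOLE_IF, preference=0))
    return True


def forward(table: RoutingTable, pkt: Packet) -> str:
    """Router 107: resolve the next hop for a packet, or drop it."""
    r = table.lookup(pkt.dst)
    return r.next_hop if r else "drop"


def run_scenario():
    """Walk FIG. 3: inspect (303), redirect (307-308), deliver inbound (309), divert reply (310)."""
    table = RoutingTable([
        Route(ipaddress.ip_network("0.0.0.0/0"), INTERNET_GW, preference=100),  # default route
        Route(PROTECTED_NET, "wan", preference=10),                            # toward nodes 102-105
    ])
    attacker, victim = "203.0.113.7", "192.0.2.10"  # constructed addresses
    probe = Packet(attacker, victim, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n")
    alert = nids_inspect(probe)
    if alert:
        install_blackhole(table, parse_alert(alert))
    inbound_hop = forward(table, probe)                    # the victim still sees the probe
    reply = Packet(victim, attacker, b"HTTP/1.0 200 OK\r\n")
    reply_hop = forward(table, reply)                      # the reply lands on the black hole
    return alert is not None, inbound_hop, reply_hop


if __name__ == "__main__":
    print(run_scenario())  # (True, 'wan', 'lo0')
```

Without the /32 the reply would follow the default route to INTERNET_GW; with it, the longer prefix wins regardless of preference, which is the whole basis of the page's "preferred over all other routes" claim.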
Although the present embodiment of the invention has been described in terms of specific divisions of functionalities, it is understood that other divisions and architecture may be implemented. For example, the NIDS, security controller, and GateD functions may be provided on a single or multiple platforms in various combinations and configurations. Further, while the present embodiment depicts a single WAN as the protected network, the invention is applicable to LANs and multiple WANs of a variety of configurations. Additionally, while a TCP/IP protocol is mentioned, the invention is applicable to a wide range of data communications systems and methods. Thus, while the foregoing has described what are considered to be preferred embodiments of the invention, it is understood that various modifications may be made therein and that the invention may be implemented in various forms and embodiments, and that it may be applied in numerous applications, only some of which have been described herein. It is intended by the following claims to claim all such modifications and variations which fall within the true scope of the invention.

It should further be noted and understood that all publications, patents and patent applications mentioned in this specification are indicative of the level of skill of those skilled in the art to which the invention pertains. All publications, patents and patent applications are herein incorporated by reference to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated by reference in its entirety.

What is claimed is:

1. A network security system for a protected network, comprising:

a router connected to the protected network and configured to selectively route incoming messages to respective destinations on the protected network addressed by respective ones of said incoming messages;

a NIDS connected to the protected network and configured to detect an attack on the protected network associated with one of said incoming messages; and

a network security controller connected to the protected network and configured to cause said router to selectively redirect to an alternate terminus a reply message associated with said one incoming message in response to said network intrusion detection system detecting said attack.

2. The network security system according to claim 1 further comprising a GateD server connected to the protected network, wherein said reply message associated with said one incoming message is initially addressed to an offending IP address associated with said incoming message prior to rerouting by said router, and said GateD server is configured to store (i) said offending IP address associated with said incoming message and (ii) a static route pointing said offending IP address to said alternate terminus on said protected network.

3. The network security system according to claim 1 wherein said network security controller further comprises a routing server storing a routing table.

4. The network security system according to claim 3 wherein said routing server comprises a GateD server.

5. The network security system according to claim 1 wherein said network security controller is configured to execute a network routing daemon that understands a plurality of protocols including at least one of BGP, EGP, RIP, RIP II, OSPF, and HELLO.

6. The network security system according to claim 1 wherein said network intrusion detection system is configured to monitor said incoming messages to detect predetermined patterns of TCP/IP activity indicative of said attack on the protected network.

7. The network security system according to claim 1 wherein said network intrusion detection system is configured to monitor packet headers of said incoming messages to detect probes.

8. The network security system according to claim 1 wherein said network intrusion detection system is configured to monitor said incoming messages to detect one of:

(i) a network resource anomaly including activity that is different from a predetermined normal behavior; and

(ii) a network resource misuse including activity corresponding to known intrusion techniques, known intrusion signature, and/or known system vulnerabilities.

9. The network security system according to claim 1 wherein said network intrusion detection system is configured to notify said network security controller of detecting said attack via one of a (i) system log (syslog) and (ii) Simple Network Management Protocol (snmp) trap.

10. The network security system according to claim 1 wherein said network intrusion detection system is configured to mirror ports addressable corresponding to said destinations on said protected network.

11. The network security system according to claim 1 wherein said router includes a routing table and said network security controller is configured to introduce to said router a preferred route into said routing table, said preferred route configured to selectively redirect said reply message to said alternate terminus on the protected network.

12. The network security system according to claim 11 wherein said alternate terminus on the protected network comprises a system configured to analyze said reply message to identify network vulnerabilities of the protected network.

13. The network security system according to claim 1 wherein said alternate terminus is said network intrusion detection system.

14. The network security system according to claim 1 wherein said alternate terminus comprises a node on said protected network.

15. The network security system according to claim 1 wherein said control system is configured to put an Exterior Gateway Protocol (EGP) neighbor corresponding to a destination of said reply message into a down state and generates a corresponding egpNeighborLoss trap.

16. The network security system according to claim 1 wherein said network security controller is configured to redirect said reply message to said network intrusion detection system.

17. The network security system according to claim 16 wherein said network intrusion detection system is configured to analyze said reply message to identify network vulnerabilities.

18. A network security system, comprising:

a protected network configured to route messages between (i) a plurality of network nodes and (ii) at least one external node;

a router connected to said protected network and configured to receive incoming messages to said protected network from said external nodes and to selectively route said incoming messages to ones of said network nodes addressed by respective ones of said incoming messages;

a network intrusion detection system connected to said protected network and configured to monitor said incoming messages to said protected network and provide an indication of an attempt to gain unauthorized access to said protected network; and

a network security controller connected to said protected network and configured to cause said router to selectively redirect a reply message associated with said one incoming message in response to said network intrusion detection system detecting said attack.

19. A method of operating a network security system, comprising the steps of:

selectively routing messages incoming to respective destinations on a protected network;

detecting an attack on said protected network associated with one of said incoming messages; and

selectively redirecting a reply message associated with said one incoming message to an alternate destination in response to said step of detecting said attack.

20. The method according to claim 19 wherein said reply message is initially addressed to an offending IP address associated with said incoming message prior to said step of selectively rerouting.

21. The method according to claim 20 further comprising a step of storing (i) said offending IP address associated with said incoming message and (ii) a static route pointing said offending IP address to a local interface.

22. The method according to claim 19 wherein said detecting step further comprises a step of detecting predetermined patterns of TCP/IP activity indicative of said attack on said protected network.

23. The method according to claim 19 wherein said detecting step further comprises a step of detecting incoming probes to said protected network.

24. The method according to claim 19 wherein said step of selectively redirecting further comprises a step of introducing a preferred route into a routing table, said preferred route configured to selectively redirect said reply message to said alternate destination.

25. The method according to claim 19 further comprising a step of redirecting said reply message to a network intrusion detection system.

26. The method according to claim 25 further comprising a step of analyzing said reply message to identify network vulnerabilities.

* * * * *

04/01/2004, EAST Version: 1.4.1